Date: Thu, 8 Oct 2015 14:29:30 +0200
From: Matthijs Kooijman <>
Subject: CVE request - perl library UI::Dialog 1.09 - shell escaping

Hi folks,

can you please assign a CVE for the UI::Dialog perl library? I
(re)discovered a flaw that allows arbitrary command execution when the
library is given untrusted strings to show in a menu prompt.

The flaw was initially reported in 2008 at but it seems
this never reached upstream. I recently reported the bug upstream, see that report
for some additional details.

Upstream has indicated that it is working on a fix (see upstream bug), but no
patches are available yet.

Impact seems limited; I'm not aware of any well-known programs that use
this library and are vulnerable (only two Debian packages depend on it,
both use a UI::Dialog backend that is unaffected).



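The class of bug named in the message above (untrusted menu text reaching a shell-parsed command line), shown as an added example; this is not UI::Dialog's code and is not taken from the upstream report. It assumes a wrapper that hands a label to an external backend program; `printf` stands in for that backend, and all function names and the sample label are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample: a menu label from an untrusted source. The command
# substitution is harmless and only makes shell interpretation visible.
my $label = 'Backup $(echo INTERPRETED-BY-SHELL)';

# Assumption: printf stands in for a dialog backend binary. It echoes the
# argument it actually receives, so no dialog program needs to be installed.
my @backend = ('printf', '%s\n');

# Unsafe pattern: the label is interpolated into one command string that
# /bin/sh parses. Double quotes do not stop $(...) or backticks.
sub run_via_shell_string {
    my ($text) = @_;
    my $cmd = join(' ', $backend[0], "'$backend[1]'", qq{"$text"});
    return scalar qx{$cmd};
}

# Safer pattern: list-form open() executes the program directly, with no
# shell involved, so the label arrives as one literal argument.
sub run_via_argv_list {
    my ($text) = @_;
    open(my $out, '-|', @backend, $text) or die "cannot exec: $!";
    local $/;                       # slurp all output at once
    my $result = <$out>;
    close($out);
    return $result;
}

# Fallback when a shell string is unavoidable: POSIX single-quote escaping.
sub sh_quote {
    my ($s) = @_;
    $s =~ s/'/'\\''/g;              # close quote, escaped quote, reopen
    return "'$s'";
}

my $quoted_cmd = join(' ', $backend[0], sh_quote($backend[1]), sh_quote($label));

print 'shell string : ', run_via_shell_string($label);
print 'argv list    : ', run_via_argv_list($label);
print 'quoted string: ', scalar qx{$quoted_cmd};
```

Only the first call lets the shell evaluate the substitution inside the label; the list-form and single-quoted variants pass the text through unchanged.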
